
As far as I know, the SQL injection definition is:

SQL injection is an application layer attack technique used by hackers to steal data from organizations by targeting web-based applications

If a SQL statement can be saved by a form submission, then should it be treated as a SQL injection until any data can't be manipulated?

Suppose I have a contact form with a textarea input, and someone puts in the value:

SELECT * FROM users

and my application allows saving such data. Is this treated as SQL injection?

Abdus Sattar Bhuiyan
  • 2,812
  • 3
  • 26
  • 55
  • What if someone put DROP TABLE users? – PSK Apr 08 '18 at 09:56
  • What is the problem with that? Let me try here: DROP DATABASE. Can you see the dangerous drop statement in my comment? If you can see it, it proves it has been saved to the server where Stack Overflow runs. But what happened to this comment? My SQL statement is being shown as plain text. – Abdus Sattar Bhuiyan Apr 08 '18 at 10:04
  • If you are not executing it by any means, in that case it is plain text only and will not create any problem. It should be fine. – PSK Apr 08 '18 at 10:06

1 Answer

2

I don't know where you've got this definition of SQL Injection, but it's only partially accurate.

Wikipedia's definition is much more accurate:

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (...)

The crucial part to understand about SQL injection is how it actually works. A user named "Your Common Sense" has written a good, simple explanation about that right here.

In a nutshell, SQL Injection is the act of "injecting" SQL code into unprotected SQL statements - thus allowing the attacker to find details about the database, sometimes up to the point that the attacker can take control over the entire data server.

Keeping complete SQL statements inside your database might be an open door to what's referred to as "Second order SQL injection" (Wikipedia, same page):

Second order SQL injection occurs when submitted values contain malicious commands that are stored rather than executed immediately.

So, a direct answer to your question is: It depends. This might be a real SQL Injection threat.

You see, in order to successfully perform a second order SQL injection, simply storing SQL statements in the database is not enough - your application must also execute them (since the attacker does not have direct access to your database. If they did, they wouldn't need to mess around with SQL Injection anymore).

SQL injection risk can be eliminated entirely by using parameterized queries.

Second order SQL injection risk is only relevant if your application is designed to store complete SQL statements and then run them.
If your application is designed to do that, then you must defend yourself by not allowing the users to write free-text SQL, but instead provide an interface for them to do it safely, while the back end will generate parameterized queries for them.

Zohar Peled